METHOD AND DEVICE FOR CONTROLLING A VEHICLE



FIELD OF THE INVENTION 

The present invention relates to a method for controlling a vehicle, in which the position of a 
pedal is detected by a sensor, at least two redundant signals corresponding to the position of 
the pedal are generated with the aid of this sensor, and a plausibility check of the redundant 
signals generated by this sensor is performed. The present invention also relates to a device 
for controlling a vehicle including a sensor for detecting the position of a pedal, with the aid 
of which at least two redundant signals corresponding to the position of the pedal are 
generated; and a control and/or regulating unit for controlling and/or regulating a vehicle that 
is capable of performing a plausibility check of the redundant signals. The present invention 
also relates to a computer program which is executable on a computer, particularly on a 
microprocessor. 

BACKGROUND INFORMATION 

A method of the type described above is available in the market. In this conventional method, 
a driver command is transmitted via an accelerator pedal. The position of the accelerator 
pedal is detected via two independent potentiometers, so-called pedal-travel sensors. From 
each of these potentiometers, a signal describing the position of the accelerator pedal is then 
transmitted to the control unit. In the control unit, a plausibility check is then performed using
these redundant signals so as to be able to detect a defective pedal-travel sensor and take 
suitable measures. 

Redundant systems are frequently used in safety-relevant environments to increase safety in 
the event of a system failure on the one hand and, on the other hand, to be able to perform a 
fault detection using a plausibility check. Depending on the type and extent of the detected 
faults, appropriate measures can then be initiated. 

In the system described above, for example, at least two signals for detecting a driver 
command are generated and transmitted to the control unit. In this context, the driver 
command can be transmitted via a pedal, for example an accelerator pedal, a brake pedal or a
clutch pedal, and/or a device for detecting the steering angle and/or for detecting a gear ratio
preselection.

The control unit then uses these redundant signals for fault detection, as described in German
Patent Application No. DE 100 63 584 for example.

German Patent Application No. DE 100 06 958 describes a method for the diagnosis of a dual 
potentiometric sensor which detects a faulty sensor on the basis of a comparison of the two 
output signals. 

Particularly for the power control of vehicles, systems are also used that are made up of a
potentiometric pedal-travel sensor and a switch for detecting the idle position. German Patent
No. DE 43 39 693 A1, for example, describes such a switch for detecting the idle position.

In so-called contactless sensors, contactless position sensors are increasingly used, the signals
of which are conditioned by electronic circuits. These electronic circuits are generally
programmed microprocessors, which are also known as ASICs (Application Specific
Integrated Circuits) and which are already integrated in the sensors. So that the signal
generated by the sensors can be transmitted to the control unit, it is generally amplified with
the aid of an output stage that is likewise integrated in the sensors.

In this connection, a distinction is made between fully redundant systems and partially 
redundant systems. Fully redundant systems include two microprocessors per sensor for 
preprocessing the signal, each microprocessor having an output stage. In partially redundant
systems, only one microprocessor is used for preprocessing the signal, the preprocessed
signals then being transmitted to the control unit via two output stages working in parallel.

Although partially redundant systems are more cost-effective than fully redundant systems,
they do not provide any safety in the case of microprocessor failure. Although fully
redundant systems by contrast offer increased safety in the case of a failure of the
microprocessor, they are comparatively expensive, and here it can also happen that both
subsystems fail at the same time. A total failure of a fully redundant system is not completely
improbable, since both subsystems are constructed in the same way and are situated locally in
close proximity to each other such that strong electromagnetic or mechanical forces, for
example, always act on both subsystems.

SUMMARY

An object of the present invention is to provide redundancy for sensors, particularly 
pedal-travel sensors, which, on the one hand, can be implemented more cost-effectively than 
a fully redundant system, and which, on the other hand, has improved options for failure 
diagnosis. 

In accordance with example embodiments of the present invention, a particular position of 
the pedal is detected by a switch and a signal is generated by the switch, and a plausibility 
comparison of the signal generated by the switch with the signals generated by the sensor is 
performed. 

The switch here represents a system that is mechanically and electronically independent of
the pedal-travel sensor. This reduces the probability of a simultaneous failure of the
pedal-travel sensor and the switch and increases the redundancy of the overall system. At the
same time, a switch of this type is very inexpensive, so that the increased redundancy can
nevertheless be achieved in a cost-effective manner.

In an advantageous refinement of the example method, suitable measures for handling the 
fault are implemented when a faulty signal is detected. 

For example, if a fault is detected as a result of a comparison of the two signals from the
partially redundant pedal-travel sensor, then the signal of the switch can be additionally used
to generate a decision regarding suitable and, as it were, "custom-tailored" measures. The
existence of the switch signal, however, also makes it possible to detect a complete
failure of a pedal-travel sensor.

For example, if the pedal-travel sensor is an accelerator pedal-travel sensor that detects the
driver's power output command by the position of an accelerator pedal and transmits it, and if
the switch is an idle switch, then, with the aid of this switch, it is possible to detect whether
the accelerator pedal is operated by the driver at all. This can be used to determine whether a
power output command on the part of the driver is pending or whether the vehicle is to be
operated at idle speed. If the accelerator pedal-travel sensor in this example delivers irregular
signals and the idle switch does not indicate a power output command on the part of the
driver, then for safety reasons the control unit will for example take measures to operate the
vehicle at idle speed.

If in the case of irregular signals of the accelerator pedal-travel sensor, however, the switch
detects a power output command on the part of the driver, the control unit can for example
operate the vehicle at low power output, ensuring that the driver has a basic, albeit limited, 
mobility, to be able to leave the area of an intersection, for example, or to be able to drive to a 
nearest service station. 

Thus, compared to a fully redundant concept, the redundancy concept proposed here has the
advantage that it is not only more cost-effective to implement but also that in the case of a 
detected fault, suitable measures can be initiated corresponding to a fault type. 

In an example embodiment of the method, the signal generated by the switch is fed directly to 
a control and/or regulating unit.

Thus, the transmission of the signal generated directly or indirectly by the switch is 
independent of the signals generated directly or indirectly by the pedal-travel sensor. This 
additionally reduces a probability of failure of the overall system due to the fact that fault 
sources of additional transmitting means are excluded. Moreover, the signal transmission of
the signals generated by the switch is thus independent of the faults that can occur in the 
transmission of the signals of the pedal-travel sensor. 

Advantageously, in the method according to an example embodiment of the present 
invention, the signal generated by the switch is combined with the first signal generated by
the sensor to form combined information, the combined information is transmitted to the
control and/or regulating unit, and in the control and/or regulation unit, information
describing the first signal generated by the sensor and the signal generated by the switch is
extracted and compared to another signal generated by the sensor in such a way that a faulty 
pedal-travel sensor is detected. 

In the case of an analog transmission path between the pedal-travel sensor and the control 
unit and between the switch and the control unit, for example, this specific embodiment has
the advantage of requiring fewer lines. This allows for example for a simple retrofitting of an 
already existing partially redundant system due to the fact that no new lines need to be run in 
the vehicle. 

Thus, in an example of an implementation using an analog transmission path, for example, a 
switch can be used in which a first level of the generated signal corresponds to a zero level in 
the non-switched state. A second level of this switch is higher in the switched state than a 
maximum level that the signal of a first output stage of the pedal-travel sensor can assume. 
Thus, by adding the levels, both signals can be fed to the control unit via a line.

A comparison is then performed in the control unit to determine whether the level present at 
this line is higher than the maximum level that the signal of the corresponding output stage
can assume. If this is the case, then it is assumed that the switch is in the switched state. The 
signal applied to the control unit via the line is then reduced by the level of the switch and is 
interpreted as the signal of the output stage of the pedal-travel sensor. 
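
The level test and subtraction described above, written out as an added C example (not code
from the patent). The millivolt levels, the tolerance and all names are assumed values chosen
for illustration; the rejection of levels that neither switch state can produce is an added
check that the text does not describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed levels in millivolts (constructed for this example). */
#define S2A_MAX_MV   4500u  /* maximum level the output stage can assume     */
#define SWITCH_MV    5000u  /* switch level when switched, above S2A_MAX_MV  */
#define TOLERANCE_MV  150u  /* assumed allowed deviation between S1 and S2a  */

typedef enum { LINE_OK, LINE_IMPLAUSIBLE } line_status_t;

typedef struct {
    line_status_t status;
    bool          switched;  /* recovered switch state (S3)              */
    uint16_t      s2a_mv;    /* recovered level of the output stage (S2a) */
} decoded_t;

/* Split the combined level on the shared line into S3 and S2a. */
decoded_t decode_s2b(uint16_t s2b_mv)
{
    decoded_t d = { LINE_OK, false, 0u };

    if (s2b_mv <= S2A_MAX_MV) {
        /* Not above the sensor maximum: switch is in the non-switched state. */
        d.s2a_mv = s2b_mv;
        return d;
    }
    /* Above the sensor maximum the switch must contribute SWITCH_MV.
     * A level between S2A_MAX_MV and SWITCH_MV, or above their sum, cannot
     * be produced by any valid combination (added check). */
    if (s2b_mv < SWITCH_MV || s2b_mv > SWITCH_MV + S2A_MAX_MV) {
        d.status = LINE_IMPLAUSIBLE;
        return d;
    }
    d.switched = true;
    d.s2a_mv = (uint16_t)(s2b_mv - SWITCH_MV);  /* reduce by the switch level */
    return d;
}

/* Compare the extracted S2a with the other redundant signal S1. */
bool sensor_plausible(uint16_t s1_mv, decoded_t d)
{
    uint16_t diff;

    if (d.status != LINE_OK) {
        return false;
    }
    diff = (s1_mv > d.s2a_mv) ? (uint16_t)(s1_mv - d.s2a_mv)
                              : (uint16_t)(d.s2a_mv - s1_mv);
    return diff <= TOLERANCE_MV;
}

int main(void)
{
    /* Constructed line levels: switch off, switch on, gap, over range. */
    const uint16_t samples[] = { 1200u, 6200u, 4800u, 9600u };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decoded_t d = decode_s2b(samples[i]);
        printf("S2b=%u mV status=%d switched=%d S2a=%u mV plausible_vs_1250=%d\n",
               (unsigned)samples[i], (int)d.status, (int)d.switched,
               (unsigned)d.s2a_mv, (int)sensor_plausible(1250u, d));
    }
    return 0;
}
```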

Another example of an implementation is based on a system in which the individual 
components communicate via a bus system, i.e., in which the signals are transmitted in a 
digitalized state. Here a combination of the first signal of the pedal-travel sensor with the 
quantity ascertained by the switch has the advantage of a reduced data volume compared to a 
method in which the quantity detected by the switch is transmitted directly via the bus 
system. 

A combination of both signals can usually be achieved in a very simple manner. If, for 
example, a controller area network (CAN) is used to transmit the signals, then the signal of 
an output stage of the pedal-travel sensor is transmitted in a digitalized state by a sequence of 
bits within a so-called message. Normally, a single bit is sufficient to transmit a position of a
switch. Thus, it suffices, for example, to reserve one bit in each message sent by an output
stage of the pedal-travel sensor for transmitting the position of the switch.

In a method according to the present invention, the signal generated by the switch preferably
provides information as to whether or not the pedal is in an idle position. 

If, for example, a fault has been detected on the basis of the comparison of the signals of the 
output stages of the partially redundant pedal-travel sensor, then this signal can be used to 
decide what measures are going to be taken.

If the pedal is an accelerator pedal, for example, and the switch is an idle switch that triggers 
a switching operation when the accelerator pedal is displaced from the idle state, then, if a 
case of a fault is detected and the accelerator pedal is not pressed, the power output control of 
the control unit can for example prompt the vehicle to be operated at idle power. However, if
in an otherwise identical situation, the idle switch indicates that the accelerator pedal is 
pressed, then the power output control of the control unit can bring it about, for example, that 
the engine speed is adjusted to be just high enough to ensure basic mobility. 

Advantageously, in the method according to the present invention, an additional signal may
be generated by another switch and a detection of a faulty pedal-travel sensor and at least one 
faulty switch is performed using the totality of the signals. 

For example, beside the idle switch described above, additional switches are installed for
detecting a driver command for medium power output and for full power output. With the aid
of the information obtained from these switches, more differentiated measures are then put
into effect in the control unit in case of a fault. In addition, in this example embodiment of
the method, defective switches are also detected in the control unit using a plausibility
comparison of the signals of the switches.

If, for example, a comparison of the signals of the output stages of the pedal-travel sensor
shows that there is a fault in the pedal-travel sensor, and if three switches detecting different
positions of the accelerator pedal indicate that first of all no idle is demanded, that second
there is a demand for medium power output and that third full power output is demanded,
then the control unit for example can assume with high probability that full power output is
indeed demanded and can decide for safety reasons to provide at least half the power output
for example.

However, if in this same situation the first switch indicates a demand to idle, then the control
unit will decide for example that, in addition to the fault detected in the pedal-travel sensor, at
least one switch delivers a faulty quantity, and will, depending on the detected fault of the
pedal-travel sensor, for safety reasons operate the vehicle for example at idle speed or at least
only at a low power output. 
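
The three-switch plausibility comparison described above can be generalized to all eight
switch combinations. The following C sketch is an added example, not code from the patent.
It assumes that the switches trip in order along the pedal travel, so that a tripped later
switch implies the earlier ones; the names and the limits chosen for cases the text does not
spell out are assumptions marked in the comments.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { LIMIT_IDLE, LIMIT_LOW, LIMIT_HALF } power_limit_t;

typedef struct {
    bool          switch_fault;  /* at least one switch delivers a faulty quantity */
    power_limit_t limit;         /* power limit applied while the sensor is faulty */
} switch_diag_t;

/* off_idle: first switch reports that no idle is demanded
 * medium:   second switch reports a demand for medium power output
 * full:     third switch reports a demand for full power output
 * Assumption: switches trip in this order along the pedal travel. */
bool switches_consistent(bool off_idle, bool medium, bool full)
{
    if (full && !medium) {
        return false;   /* full demanded, but the medium switch never tripped */
    }
    if (medium && !off_idle) {
        return false;   /* medium demanded while the first switch reports idle */
    }
    return true;
}

/* Called only after the comparison of the output stages has already shown
 * a fault in the pedal-travel sensor. */
switch_diag_t diagnose_with_switches(bool off_idle, bool medium, bool full)
{
    switch_diag_t d = { false, LIMIT_IDLE };

    if (!switches_consistent(off_idle, medium, full)) {
        /* The text allows idle speed or low power here; this example
         * picks idle, the more restrictive of the two. */
        d.switch_fault = true;
        d.limit = LIMIT_IDLE;
        return d;
    }
    if (full) {
        d.limit = LIMIT_HALF;   /* text: provide at least half the power output */
    } else if (off_idle) {
        d.limit = LIMIT_LOW;    /* assumption: basic mobility for partial demand */
    }
    return d;                   /* all switches at rest: idle */
}

int main(void)
{
    static const char *names[] = { "idle", "low", "half" };
    int bits;

    /* Walk through all eight switch combinations. */
    for (bits = 0; bits < 8; bits++) {
        bool off_idle = (bits & 1) != 0;
        bool medium   = (bits & 2) != 0;
        bool full     = (bits & 4) != 0;
        switch_diag_t d = diagnose_with_switches(off_idle, medium, full);
        printf("off_idle=%d medium=%d full=%d -> switch_fault=%d limit=%s\n",
               (int)off_idle, (int)medium, (int)full,
               (int)d.switch_fault, names[d.limit]);
    }
    return 0;
}
```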

In another example embodiment of the present invention, there is a switch for detecting a 
specific position of the pedal, which is used to generate a signal, and the control and/or 
regulating unit has means for performing a plausibility comparison of the redundant signals
generated by the switch and by the sensor. 

The advantages of this example device and of the subsequent specific embodiments result 
from the above-mentioned advantages of the methods described in the relevant passages. 

In an advantageous refinement of the device, the control and/or regulating unit has a device
for detecting a faulty signal and for implementing suitable measures for handling faults. In a
preferred specific embodiment, the switch is directly connected to the control unit via a line.

Advantageously, a device according to the present invention is configured in such a way that
a device is provided for combining the first signal generated by the sensor with the signal
generated by the switch to form combined information; a device is provided to feed the
combined information to the control and/or regulating unit; and the control and/or regulating
unit has a device to extract information, describing the first signal generated by the sensor
and the signal generated by the switch, from the combined information and for comparing
this information with another redundant signal generated by the sensor and for detecting a
faulty pedal-travel sensor.

In a device according to the present invention, the switch is preferably an idle switch.

A preferred specific embodiment of the device includes at least one additional switch for
detecting a specific position of the pedal, which is used to generate a signal, and means in the
control and/or regulating unit for detecting a faulty pedal-travel sensor and at least one faulty
switch by using the totality of the signals. 

Implementing the present invention in the form of a computer program may be particularly
important. The computer program may be executable on a computer, particularly on a
microprocessor, and is suitable for carrying into effect the method according to the present
invention. Thus, in this case, the present invention is implemented by the computer program,
so that this computer program represents the present invention in the same manner as does
the method, for the execution of which the computer program is suitable. The computer
program is preferably stored in a memory element. In particular, a random-access memory, a
read-only-memory or a flash memory may be used as memory element.

BRIEF DESCRIPTION OF THE DRAWINGS 

Further features, uses and advantages of the present invention come to light from the
following description of exemplary embodiments of the present invention shown in the
drawings. In this connection, all of the described or represented features, by themselves or in
any combination, form the subject matter of the present invention, regardless of their
formulation and representation in the description and in the figures.

Figure 1 shows an overall view of a fundamental structure of a device for controlling and
regulating an internal combustion engine. 

Figure 2 shows a block diagram of a partially redundant pedal-travel sensor and a switch, the 
switch being directly connected to a control unit. 

Figure 3 shows an additional block diagram of a partially redundant pedal-travel sensor and a
switch, the signal generated via the switch being combined with a redundant signal of the
sensor.

Figure 4 shows a flow chart of a plausibility check of the signals generated by a sensor and
by a switch. 

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS 

Figure 1 shows an example of a fundamental structure of an internal combustion engine B1
having a control unit 3. Internal combustion engine B1 includes a cylinder B3, in the interior
of which a piston B2 is guided in a moveable manner. Situated on the side of cylinder B3
opposite of piston B2 there is an intake valve B5, a discharge valve B6 as well as an injector
nozzle B9 for injecting fuel and a spark plug B10 for igniting the fuel-air mixture. The
interior of cylinder B3 forms a combustion chamber B4, which is bounded by an inner
cylinder wall (without reference numeral), by piston B2 as well as by intake valve B5 and
discharge valve B6.

Injector nozzle B9 is connected to the control unit via a control line L4. In addition, a fuel
pump B16 connected to injector valve B9 via a fuel line B17 is attached to a fuel reservoir
tank B15. An ignition coil B14 is connected to control unit 3 via a control line L5 and to
spark plug B10 via a high-voltage line B7.

An intake duct B7 leads into combustion chamber B4 via intake valve B5. A throttle valve
B11, which is controllable by control unit 3 via a control line L2, is mounted in intake duct
B7. In addition, a sensor B13 for detecting the position of throttle valve B11 is mounted in
the intake duct. The signals generated via sensor B13 are fed to control unit 3 via line L3.

An exhaust duct B8 leads into combustion chamber B4 via exhaust valve B6. Exhaust duct
B8 is attached to an exhaust pipe including an emission control system B12. A pedal-travel
sensor 1 for detecting the position of a pedal is also represented. Pedal-travel sensor 1 is
connected to control unit 3 via a line L1.

The basic principle of operation of the internal combustion engine shown in Figure 1 is as
follows:

While intake valve B5 is open, an air mass controllable in volume by the position of throttle
valve B11 enters combustion chamber B4 via intake duct B7 in the course of a power cycle
of piston B2. In combustion chamber B4, a fuel mass controllable by control unit 3 is injected
via injector nozzle B9. Subsequently, the fuel-air mixture in combustion chamber B4 is
ignited by a spark generated at spark plug B10.

In the operation of internal combustion engine B1, particularly in a vehicle, a signal from
pedal-travel sensor 1 describing a position of an accelerator pedal and thus a power output
request on the part of the driver is fed to control unit 3. Control unit 3 then prompts throttle
valve B11 via line L2 and an actuator (not shown) to assume a specified position. Via
position sensor B13, control unit 3 ascertains whether the position of the throttle valve
corresponds to the specified value.

In the device represented, the position of the accelerator pedal ascertained by the pedal-travel 
sensor is also used by control unit 3 to control the fuel quantity and the timing of an injection
of fuel into combustion chamber B4 via injector nozzle B9. 

In addition, control unit 3 controls the timing of an ignition of the fuel-air mixture in the 
combustion chamber via line L5 and ignition coil B14. 

Figure 2 shows a first exemplary embodiment of a device 20 for controlling a vehicle made 
up of a partially redundant, contactless pedal-travel sensor 1 already shown in Figure 1,
which is connected to control unit 3 via signal lines 12 and 13, and a switch 2, which is
likewise connected to control unit 3 via a signal line 14a. Partially redundant, contactless
pedal-travel sensor 1 includes a position sensor 4 connected to a pedal 15 and a partially
redundant electronic circuit 5. This electronic circuit 5 includes a signal-conditioning device,
which is implemented as a programmed microprocessor 6 (ASIC), and two output stages 7
and 8. Control unit 3 includes a memory 16 and a microprocessor 17 connected via a bus
system 18.

The device shown in Figure 2 operates as follows:

Via line 9, the signal S0 ascertained by position sensor 4 is fed to device 6 for signal
conditioning. Signal S0 is then concurrently transmitted via lines 10 and 11 to output stages 7
and 8 and from there is fed to control unit 3 via lines 12 and 13. Switch 2 is a so-called idle
switch which detects whether the pedal is in the idle position and which transmits this
information in the form of a signal S3 to control unit 3 via line 14a.

A comparison of the signals S1, S2 fed by pedal-travel sensor 1 to control unit 3 via lines 12
and 13 allows control unit 3 to detect a faulty pedal-travel sensor 1. If a pedal-travel sensor
has been detected as faulty, then control unit 3 uses the information S3 transmitted from
switch 2 via line 14a to diagnose the fault situation.

If idle switch 2 indicates, for example, that pedal 15 is in the idle position, then (in case a
discrepancy is detected between signals S1 and S2) the control unit will take measures to
operate the vehicle at idle speed. If idle switch 2 by contrast indicates that the driver is
holding pedal 15 in a depressed position, then control unit 3 will choose for example the
signal S1 or S2 of output stages 7 and 8 that corresponds to the lower power output
requirement.

Idle switch 2 consequently provides an additional deciding criterion for the selection of a
procedure on the part of control unit 3 in case of a faulty pedal-travel sensor 1. Furthermore,
with the appropriate programming of control unit 3, an idle switch allows the driver to
control the vehicle, albeit in a highly restricted manner, in the event of a total failure of
pedal-travel sensor 1.

This can be done, for example, in that, when the accelerator pedal is depressed, control unit 3 
provides a power output that allows for a basic movement of the vehicle. 

Figure 3 shows another specific embodiment of a device for controlling a vehicle. In this
instance, areas, elements and blocks having equivalent functions to areas, elements and
blocks of the exemplary embodiment shown in Figure 1 have the same reference numerals.
Unless absolutely required, they are not explained again in detail.

In the device shown in Figure 3, the signal S3 generated via switch 2 is not fed directly to 
control unit 3, but is combined with signal S2a of output stage 8. To this end, the level of
signal S3 generated via switch 2 is added to the level of signal S2a generated by pedal-travel 
sensor 1. This is indicated by signal transmission line 14b. The signal S2b thus produced is 
then fed to control unit 3 via line 13. 

In this example embodiment, control unit 3 includes a device or arrangement to extract, from
combined signal S2b, which is fed to control unit 3 via line 13, information describing signal
S2a originally generated by pedal-travel sensor 1 and signal S3 generated by the switch.

Thus in this specific embodiment, an already existing, partially redundant, contactless
pedal-travel sensor 1 is combined with a switch 2. This increases fault detection and
improves the options for fault diagnosis without requiring the installation of new lines from
switch 2 to control unit 3.

Figure 4 shows a highly simplified flow chart of a method for operating one of the devices of
Figures 2 or 3, which can be used to perform in a vehicle a simple plausibility check of
signals S1, S2, S3 in control unit 3.

The method shown in Figure 4 assumes a dominance of switch 2. This means that signal S3 
generated via switch 2 is always assumed as decisive for selecting a suitable power output 
control. At the same time, it is assumed in this example that signal S3 arriving in control unit
3 is error-free.

The plausibility check is performed for example as soon as the internal combustion engine
starts up. In a first query step PS1, a check is then performed to determine whether the
ignition is switched on. If this is not the case, then the plausibility check is terminated. If the
ignition is switched on, however, then, initially in step PS2, signals S1, S2, S3 are provided
in suitable form, as binary coded quantities in the registers of microprocessor 17 for example. 

In a query step PS3, a check is performed to determine whether signal S3 generated by switch
2 indicates an idle request. If this is the case, then in program step PS4 a value LS, which
indicates a setpoint value of the power output of the internal combustion engine, is set to a
value corresponding to idle speed. At this point the dominance of switch 2 chosen for this
simple specific embodiment becomes evident. Here the power of the internal combustion
engine is controlled without taking the signals generated by pedal-travel sensor 1 into 
account. 

If signal S3 does not indicate an idle request, then there is branching to the query step PS5.
There a check is performed to determine whether signal S1 and signal S2 describe the same
pedal travel. If this is the case, then the pedal-travel sensor is diagnosed as error-free. In
program step PS6, the power output request transmitted by signals S1, S2 is then taken over
as a setpoint value. 

In the alternative case, the pedal-travel sensor is diagnosed as faulty. Since switch 2 signals a
power output request, however, in a program step PS7, setpoint value LS is set to a 
predefined value, which ensures a maneuvering capability on the part of the vehicle. 
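
Steps PS1 to PS7 of Figure 4 as described above, written out as an added C example (not code
from the patent). The per-mille scaling, the tolerance for "the same pedal travel", the
setpoint constants, the choice of the lower of S1 and S2 in PS6 and all names are
assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed scaling: pedal travel and setpoint LS in per mille (0..1000). */
#define LS_IDLE            0u  /* assumed setpoint corresponding to idle speed   */
#define LS_MANEUVER      150u  /* assumed predefined value used in step PS7      */
#define SAME_TRAVEL_TOL   20u  /* assumed tolerance for "the same pedal travel"  */

typedef enum {
    PC_TERMINATED,     /* PS1: ignition off, check not performed      */
    PC_IDLE_REQUEST,   /* PS3/PS4: switch indicates an idle request   */
    PC_SENSOR_OK,      /* PS5/PS6: S1 and S2 agree                    */
    PC_SENSOR_FAULTY   /* PS5/PS7: S1 and S2 disagree                 */
} pc_state_t;

typedef struct {
    pc_state_t state;
    uint16_t   ls;     /* setpoint value LS of the power output */
} pc_result_t;

pc_result_t plausibility_check(bool ignition_on, uint16_t s1, uint16_t s2,
                               bool s3_idle)
{
    pc_result_t r = { PC_TERMINATED, LS_IDLE };
    uint16_t diff;

    /* PS1: terminate if the ignition is not switched on. */
    if (!ignition_on) {
        return r;
    }
    /* PS2: S1, S2, S3 are provided here as function arguments. */

    /* PS3/PS4: the switch dominates; S1 and S2 are not consulted at all. */
    if (s3_idle) {
        r.state = PC_IDLE_REQUEST;
        r.ls = LS_IDLE;
        return r;
    }
    /* PS5: do S1 and S2 describe the same pedal travel? */
    diff = (s1 > s2) ? (uint16_t)(s1 - s2) : (uint16_t)(s2 - s1);
    if (diff <= SAME_TRAVEL_TOL) {
        /* PS6: take over the request; the lower value is an assumption. */
        r.state = PC_SENSOR_OK;
        r.ls = (s1 < s2) ? s1 : s2;
        return r;
    }
    /* PS7: sensor faulty, but the switch signals a power output request. */
    r.state = PC_SENSOR_FAULTY;
    r.ls = LS_MANEUVER;
    return r;
}

int main(void)
{
    /* Constructed inputs: ignition, S1, S2, S3 idle request. */
    pc_result_t a = plausibility_check(true, 800u, 800u, true);
    pc_result_t b = plausibility_check(true, 500u, 510u, false);
    pc_result_t c = plausibility_check(true, 500u, 900u, false);

    printf("idle switch set, S1=S2=800: state=%d LS=%u\n", (int)a.state, (unsigned)a.ls);
    printf("S1=500 S2=510:              state=%d LS=%u\n", (int)b.state, (unsigned)b.ls);
    printf("S1=500 S2=900:              state=%d LS=%u\n", (int)c.state, (unsigned)c.ls);
    return 0;
}
```

The first call shows the consequence of the dominance assumption: an idle request from the
switch sets LS to idle even though S1 and S2 agree on a large pedal travel.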